Affected versions

Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13
and 4.1.0 to 4.1.2 versions of the Symfony HttpFoundation component are affected by this
security issue.

The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.

Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not
maintained anymore.

Description

Support for a (legacy) IIS feature that lets users override the path of the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to request one URL but have Symfony serve a different one, which can bypass restrictions enforced by higher-level caches and web servers.

The fix drops support for these two obsolete IIS headers: X-Original-URL and X-Rewrite-URL.
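As an added illustration (not code from the advisory or the Symfony project), the front-controller guard below strips the two override headers from $_SERVER before HttpFoundation builds the Request, so the path Symfony routes on is the one the upstream web server and cache already checked. It assumes a Symfony 3 standard-edition layout (web/app.php, AppKernel) and is only relevant to branches that will never receive the fix; patched versions ignore the headers already.

```php
<?php
// web/app.php (assumed location) -- added example, not Symfony project code.
// Stop-gap for unmaintained branches (3.0, 3.1, 3.2); upgrading is the real fix.

use Symfony\Component\HttpFoundation\Request;

$loader = require __DIR__.'/../app/autoload.php';

/**
 * Remove the legacy IIS path-override headers from a $_SERVER-style array.
 *
 * HttpFoundation builds Request::$headers from the HTTP_* keys of $_SERVER,
 * so dropping the keys here guarantees the request URI is never rewritten
 * from a client-supplied header. Returns the sanitized array and the list
 * of headers that were present, so the caller can log the attempt.
 */
function stripPathOverrideHeaders(array $server)
{
    $dropped = array();
    foreach (array('HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL') as $key) {
        if (array_key_exists($key, $server)) {
            $dropped[] = $key;
            unset($server[$key]);
        }
    }

    return array($server, $dropped);
}

list($_SERVER, $dropped) = stripPathOverrideHeaders($_SERVER);
if ($dropped) {
    // Ordinary browsers never send these headers; keep a trace for monitoring.
    error_log(sprintf(
        'Dropped path-override header(s) %s on %s %s from %s',
        implode(', ', $dropped),
        isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '-',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
    ));
}

// Standard Symfony 3 front controller from here on.
$kernel = new AppKernel('prod', false);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);
```

The same headers can also be blanked at the reverse proxy, but sanitising in the front controller covers deployments where the application is reachable without one.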

The CfP is now open!

We are looking for talks about Symfony features, related libraries, developer workflows, DevOps, infrastructure technologies, and modern Javascript. The conference main language, as always, will be German. However, we will accept a few selected talks in English, so feel free to submit if you are from abroad.

Who are we looking for?

Everybody, actually! If you are not a seasoned speaker, and are unsure if you are ready to talk at a SymfonyLive, we are there to support you! Contact us on Twitter or directly via email, or come and visit us at one of our user groups in Berlin or Cologne. We are happy to provide tips, tricks, and mentoring on your topic and for writing your abstract. As always, all speakers will be reimbursed for travel and hotel expenses, are invited to our special speakers’ dinner, and get full access to the conference.

The CfP process does not consider speakers based on any racial, gender or physical criteria. All abstracts are evaluated solely based on content and relevance to the conference.

Our goal is to provide a safe and comfortable environment for all Symfony conferences. As both a speaker and an attendee, you agree to abide by our code of conduct. SensioLabs will provide a care team at the conference venue who will be open to any and all your questions, and will help to solve any situation.

Workshops

SymfonyLive offers two days of workshops, covering topics from beginner to advanced, from some of the best workshop trainers around. The workshop schedule is published already, so be sure to hop over and get your ticket!

We’re very pleased to announce that the conference schedule for this year’s edition of the SymfonyLive conference in London is online. Join us on September 28th for an intense conference day dedicated to Symfony, divided into 2 tracks.

Discover now all the speakers selected and the talks they will present there! We’re very excited to welcome 14 speakers at the conference (in alphabetical order):

Zan Baldwin who will be speaking about “The Symfony Open-source Community” at the closing Keynote! Stay tuned for more details to be announced soon.

Neal Brooks will speak about “Running Symfony on AWS Lambda”. If you ever find yourself deploying your Symfony app to your EC2 boxes and wondering if you're using your resources wisely, then this talk is for you!

Michael Cullum will be talking about “Building first-class REST APIs with Symfony”. In this talk Michael will show you how you can build a simple maintainable REST API using the Symfony components that can perform some simple operations in ways that are clean and simple.

Kévin Dunglas, Symfony Core Team member, will be presenting a talk about “Panther: test your Symfony apps with real web browsers”. Symfony Panther is a brand new e2e testing and web scraping library written in PHP that drives real browsers thanks to the WebDriver protocol from the W3C. Let’s meet the feline!

Sandra Eriksson will present a talk about “What is accessibility, and why I should care?”. Find out more about the accessibility area, WCAG (Web Content Accessibility Guidelines) and how to improve accessibility in ICT products (Information Communications Technology) for users with disabilities.

Christian Flothmann and Christopher Hertel will present a talk entitled “Using Symfony Forms with Rich Domain Models” to understand the different aspects of a rich domain model that make it hard to use in conjunction with the Form component.

Nicolas Grekas, Symfony Core Team member, will talk about “Symfony Cache: a premium recipe to fast apps”. This talk will show you that caching might be the most efficient strategy for fast apps.

Tobias Nyholm will be speaking about “Symfony without the framework bundle”. This talk will go over performance to see what you can do to make an application run faster.

Fabien Potencier, Symfony founder and project lead, will be on stage for the opening Keynote! Stay tuned for more details to be announced soon.

André Rømcke will speak about “Take your Http caching to the next level with xkey & Fastly”. FOSHttpCache extends Symfony in many ways; in this talk, you’ll discover how to use it!

Samuel Roze, Symfony Core Team member, will present a talk entitled “Symfony Messenger: Messages, Queues, Workers and more” about the new Messenger component that he created a few months ago.

Erin Taylor and Gawain Lynch will be speaking about “GDPR for web development”. In this talk they’ll give an overview of the main principles of GDPR and their relevance to web development. They’ll describe use cases for back-end and front-end developers working with Symfony and its ecosystem.

Following the new features we've added in May in the Events & Meetups section, we're pleased to introduce a brand new section within the main website menu:
Symfony Events. This will enable you to find a Symfony event near you more easily.

The Events section itself has also been improved, again! We've added a map where you can see at a glance where all the upcoming Symfony events are organized. You can find on the map all the upcoming official Symfony conferences pinned in red and all the upcoming Symfony community events pinned in blue.

Remember that new features were recently added to this section: all the past events are still shown and the «add to my calendar» button was added. But there is more! You can now find all the Symfony meetups listed in the upcoming community events. Any Symfony meetup created on meetup.com is automatically listed on the Symfony website. And you can also add them to your calendar!

We aim to create a unique place for you to find the next Symfony event organized near you! If your meetup is not on the list, contact us or add it on the website. Once you add your event here or on meetup.com, a tweet is sent from @symfony to announce it and you can find it on the map. This way, all the Symfony events will get more visibility for everyone within the community. You won't miss a Symfony event organized near you anymore!

A few years ago, we introduced the Symfony Installer as the fastest way to
create new Symfony projects. While Composer took up to several minutes to create
a new project, Symfony Installer did the same in less than ten seconds.

The trick was that the installer downloaded a ZIP archive with all the
dependencies required by the specific Symfony version you were installing, so
Composer did not need to resolve the project dependencies at all.

However, with the release of Symfony 4 we deprecated the Symfony Installer in
favor of Composer, because we wanted to use standard development tools as much
as possible. Sadly this made creating new Symfony projects slower and, in some
cases, it triggered "out of memory" exceptions while Composer was resolving the
dependencies.

During the past months we've worked hard to improve the performance of
Symfony Flex, the package used to create and manage Symfony apps. A few days
ago, we made the two biggest improvements ever:

The two skeletons used to create new Symfony projects, symfony/skeleton (for
small apps, APIs, microservices, etc.) and symfony/website-skeleton (for
traditional web applications) now include a composer.lock file to avoid
Composer's dependency resolving (see symfony/skeleton #66 and symfony/web-skeleton #11).
An automatic process ensures that those composer.lock files are updated
whenever a dependency has a new version.

Symfony Flex removes all the legacy Composer tags from all Symfony components
before creating the project. This removes hundreds of unused tags and saves
Composer hundreds of thousands of unnecessary checks.

Thanks to these changes, creating new Symfony projects is between 60% and 90%
faster and updating existing projects is up to 50% faster. Actual results may
vary depending on your Composer cache, the size of your project and the speed of
your Internet connection.

The SymfonyLive conference in the USA will take place from October 9th to 12th in San Francisco.

Never been to a SymfonyLive conference before? Join us at SymfonyLive USA: it is a 4-day event, the only one dedicated to Symfony in the USA, where you can learn all the latest news about Symfony:

Two-day workshop: Tuesday, 9th and Wednesday, 10th

Two-day conference: Thursday, 11th and Friday, 12th

The Call for Papers is still open for a few days: if you have any best practices, experience, tips or use cases to share with the US Symfony community, think about submitting a talk proposal for the conference. The CFP is open until July 8th to anyone in the Symfony community. Inexperienced speakers are welcome; we've created a mentoring program for speakers to help anyone take the plunge and submit a talk proposal. You can find all the information about our mentoring program in the dedicated blog post!

Interested in learning more about Symfony? Register to the pre-conference workshops too, organized on October 9th and 10th. Several workshops are scheduled:

Getting up and running with Symfony (2 days)

Learn how to efficiently use the service container and register your own services. You'll also discover how to setup and run a unit and functional tests suite with PHPUnit to improve the quality and stability of your code.

Extending and Hacking Symfony (2 days)

Understand how to easily hack and extend some parts of the Symfony framework thanks to the dependency injection container and how to master some advanced tools such as the form and validation components, as well as the event dispatcher system to decouple your code.

Discover the new practices recommended by the Symfony Core team. You will learn how to install third-party packages with Symfony Flex, configure your application with environment variables or exploit the new features of the dependency injection container.

Get your combo ticket for the pre-conference workshops and the conference at the early bird price of $1,543 until July 8th.

Enjoy the atmosphere of downtown San Francisco while hearing all the latest and best developments with Symfony! See you there!

This week, the upcoming Symfony 4.2 version added the ability to clear form errors, improved Doctrine event listeners to always lazy load them and tweaked some of the VarDumper output. In addition, this is the 600th weekly summary for the Symfony project. Thanks for reading us and for being part of the Symfony community!

SymfonyLive London is only 3 months away! Have you got your ticket yet? Early bird registration is still open for a few days: get your conference ticket for £129 until July 1st. After that, the regular price will apply and the conference ticket will cost £169, so save £40 on your conference ticket now!

SymfonyLive London 2018 is a 2-day event: a workshop day on September 27th and a 2-track conference day on September 28th.

You can buy a combo ticket to register for a workshop and the conference for £543 until July 1st (early bird price). 4 different workshops are scheduled on September 27th; discover them:

Symfony 4 Best Practices by Nicolas Grekas: Symfony 4 changes the way you develop web applications. During this workshop, you will discover the new practices recommended by the Symfony Core team.

Building API-driven apps with API Platform by Kévin Dunglas: API Platform has become a very popular framework to build advanced and modern API-driven web projects. After an overview of modern API patterns and formats (REST, Swagger, hypermedia, HATEOAS, JSON-LD, Hydra, Schema.org, GraphQL...), we'll learn how to use and extend the most popular features of the API Platform API component.

Symfony Messenger by Samuel Rozé: The Messenger component just landed in Symfony 4.1. It drastically simplifies the use of message buses and the handling of asynchronous operations using message queues such as RabbitMQ. Discover all about it from the creator of the component.

Lightning Fast Tests by Jakub Zalas: Learn everything from writing good unit tests, through using test doubles (like stubs or mocks), to writing integration tests. Learn how to structure your project to benefit from a test-first design.

The conference schedule is coming soon! The Call for Papers ended last Monday and we'd like to thank all the people who submitted a talk proposal there. We're currently reviewing all the submissions we received but we can already announce the first selected speakers!

We're excited to welcome Michelle Sanver who will speak about "Using the Symfony WorkFlow component as a state machine makes handling money easier!". We're also very pleased to welcome Neal Brooks who will talk about "Running Symfony on AWS Lambda". And we're thrilled to welcome Sandra Eriksson who will be speaking about "What is accessibility, and why I should care?". The selected speakers and their talk descriptions will be soon available online, along with the conference schedule. Stay tuned for more information about all the selected speakers.

Ready to join us there? Get your ticket for SymfonyLive London 2018 now to enjoy our early bird price and save money! You only have 3 days left to register at the early bird rate, hurry up!

Come and attend SymfonyCon Lisbon: the conference days are on December 6th and 7th, and the hackday is on December 8th. Come for the conference, stay for the hackday! A lot of surprises are waiting for you, don’t miss the event.

Call for Papers is also open, until June 22nd. If you want to speak at the SymfonyCon, send us your talk proposals. We are looking for highly technical talks related to Symfony and its ecosystem and original talks that haven't been delivered in previous conferences. All criteria regarding the CFP are listed on the website. Don’t hesitate to send more than one proposal to increase your chances of being selected.

Symfony 4.1.0 is going to be released later today. As for any other Symfony
minor release, our backward compatibility promise applies and this means that
you should be able to upgrade easily without changing anything in your code.

We've already blogged about the great 4.1 new features, but here is a curated
list of the most relevant changes (this version has a total of 200 new small and
big features):

Symfony comes with two optional base classes for controllers: Controller and
AbstractController. They are similar but AbstractController is
recommended because it's more restrictive: it does not allow you to access
services directly via $this->get() or $this->container->get().

In Symfony 4.1, we improved AbstractController to add the commonly used
helper getParameter() to get the value of any container config parameter.
This change makes it easier to transition from Controller to
AbstractController.

In Symfony 3.4 we introduced a PHP DSL to configure routes and services. In
Symfony 4.1 we improved it by adding support for anonymous services, which is
useful when you don't care about the service name (e.g. when decorating services).

    // app/config/services.php
    use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

    return function (ContainerConfigurator $container) {
        $services = $container->services();

        // to create an anonymous service, pass null as its ID argument
        $services->set(null, stdClass::class)->tag('listener');
    };

In Symfony 4.1, the ReflectionExtractor class of the PropertyInfo component
added a new $enableConstructorExtraction argument to allow introspecting
property information using the constructor arguments.

In Symfony 4.1, the MoneyType form field defines a new option called
rounding_mode to control how the values are rounded. Before, all values were
rounded towards "the nearest neighbor" (ROUND_HALF_UP) so 15.999 was
rounded as 16.00. Now you can set it for example to ROUND_DOWN to display
it as 15.99:

Updating LDAP entries with the update() method is slow in some scenarios. That's
why in Symfony 4.1 there are two new methods called addAttributeValues() and
removeAttributeValues() that add/remove values to a multi-valued attribute:

In Symfony 4.1, routes can define (in YAML, XML or PHP) a new option called
keepQueryParams. By default it's false, but if you set it to true,
the query parameters (if any) are added to the redirected URL:

The PropertyInfo component introspects information about class properties by
using different sources of metadata. In Symfony 4.1, one of those sources (the
ReflectionExtractor class) added support for hasser methods.

This allows, for example, making a property readable by defining methods like
hasChildren() instead of just getChildren().